krb5login: make redirecting safer

Originally, the krb5login page would allow redirects to any URLs, e.g. to Google using http://$HOSTNAME/auth/krb5login/?next=//www.google.com. This commit implements similar sanitization of REDIRECT_FIELD_NAME like Django does in its LoginView. Related: https://github.com/django/django/blob/8fcb9f1f106cf60d953d88aeaa412cc625c60029/django/contrib/auth/views.py#L43C18-L43C18
release-engineering · Dec 4, 2023 · 1ca76a7 · 1ca76a7
1 parent 9caa781
commit 1ca76a7
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/kobo/hub/views.py b/kobo/hub/views.py
@@ -10,6 +10,7 @@
 from django.shortcuts import render, get_object_or_404
 from django.urls import reverse
 from django.views.generic import RedirectView
+from django.utils.http import url_has_allowed_host_and_scheme
 
 from kobo.hub.models import Arch, Channel, Task
 from kobo.hub.forms import TaskSearchForm
@@ -241,11 +242,16 @@ def krb5login(request, redirect_field_name=REDIRECT_FIELD_NAME):
     middleware = 'kobo.django.auth.middleware.LimitedRemoteUserMiddleware'
     if middleware not in settings.MIDDLEWARE:
         raise ImproperlyConfigured("krb5login view requires '%s' middleware installed" % middleware)
-    redirect_to = request.POST.get(redirect_field_name, "")
-    if not redirect_to:
-        redirect_to = request.GET.get(redirect_field_name, "")
-    if not redirect_to:
-        redirect_to = reverse("home/index")
+
+    redirect_to = request.POST.get(redirect_field_name, request.GET.get(redirect_field_name))
+    url_is_safe = url_has_allowed_host_and_scheme(
+            url=redirect_to,
+            allowed_hosts=request.get_host(),
+            require_https=request.is_secure(),
+    )
+    if not url_is_safe:
+        redirect_to = reverse(settings.LOGIN_REDIRECT_URL)
+
     return RedirectView.as_view(url=redirect_to, permanent=True)(request)
 
 def oidclogin(request):